System requirements#

Operating systems#

All Blitz Identity Provider installation options and the server types involved support the following operating systems:

CentOS 7/8 Rocky Linux 8/9 AlmaLinux 8/9 RHEL 7/8/9 Oracle Linux 8/9

Minimum requirements#

Deployments with medium availability and performance requirements are recommended for preparation of test environments and production loops. Follow the scheme below.

:size=80%

2 virtual machines (hereinafter - VMs) with the following characteristics and roles is a minimum requirement for the deployment.

Minimum sever requirements for deployment

Description	Specifications	Software
VM for Applications (VM APP)	4 CPU cores, 8 GB RAM, 50 GB HDD (HDD)	Blitz Identity Provider: `blitz-idp`, `blitz-console`, `blitz-registration`, `blitz-recovery`, `blitz-keeper`; JDK, `nginx`, `memcached`
Database VM (VM DB)	4 CPU cores, 8 GB RAM, 100 GB HDD	PostgreSQL (9.6 or later) or Couchbase Server Community Edition (6.0 or later), 389 Directory Server or FreeIPA; RabbitMQ (optional)

Required software versions:

OpenJDK 8, Liberica JDK 8, Axiom JDK 8 Certified or Oracle JDK 8;
Memcached memory manager version 1.4.15 or higher.

Network connectivity requirements:

VM-APP shall be accessible via 80, 443 (HTTP/HTTPS) from user networks;
VM-APP must have access:
- to VM-DB via 8091, 8092, 8093, 11209, 11210, 11211, 4369, 21100 to 21199, 11214, 11215, 18091, 18092 (standard Couchbase Server ports), 5432 (standard PostgreSQL port), 389, 636 (standard LDAP ports), 5672 (standard RabbitMQ port);
- to external identity provider services via 443 port (if used):
  
  Links to the external identity provider services
  
  Type
  
  Reference
  
  Social networks
  
  https://appleid.apple.com
  
  https://accounts.google.com
  
  https://graph.facebook.com [1]
  
  [1]
  Meta is recognized as an extremist organization and is banned in Russia, while the activities of its social networks Facebook and Instagram are also banned in Russia.
- to SMS gateway (if used);
- to SMTP (if used);
- to push notification service (if you use it);
- to the Kafka service (when used to receive security reports).

Type	Reference
Social networks	`https://appleid.apple.com`
`https://accounts.google.com`
`https://graph.facebook.com` [1]

For VM-APP, you need to create a public DNS name (for example, auth.domain.ru) and issue a TLS certificate for auth.domain.ru or *.domain.ru.

Recommended requirements for cluster#

Deployment in a cluster configuration is shown in the scheme below. Comply with the given requirements when building productive authentication loops with high availability and peak performance requirements.

:size=80%

For deployment in a cluster configuration, it is recommended to use Virtual Machines (VMs) with the characteristics and functions listed in the table below.

Recommended server requirements for deployment in a cluster

Description	Q-ty	Specifications	Software	Comment
VM for web-servers (VM-WEB)	1-2	4 CPU cores, 4 GB RAM, 50 GB HDD	nginx	You can use an existing web server to load balance and remove TLS from incoming traffic
Blitz Identity Provider Application VM (VM-APP)	2	4 CPU cores, 8 GB RAM, 50 GB HDD (HDD)	Blitz Identity Provider: `blitz-idp`, `blitz-registration`, `blitz-recovery`, `blitz-keeper`; memcached JDK	It is recommended deploy each application of Blitz Identity Provider in on its own cluster on separate servers under heavy load
VM for console (VM-ADM)	1	2 CPU cores, 4 GB RAM, 100 GB HDD	Blitz Identity Provider: `blitz-console`; memcached JDK	It is recommended to configure this server to collect logs from different servers in the Blitz Identity Provider cluster
VM for DBMS (VM-DB):	2-3	For PostgreSQL: 4 CPU cores, 8 GB RAM, 100 GB HDD (data), 50 GB HDD (system). For Couchbase Server: 8 CPU cores, 16 GB RAM, 500 GB HDD (data), 100 GB SSD (indexes), 50 GB HDD (system).	PostgreSQL software (9.6 or later) or Couchbase Server Community Edition (6.0 or later)	For PostgreSQL, it is recommended to allocate one physical server for the main instance and one for standby. For Couchbase Server it is recommended minimum 3 VMs.
VM ofr LDAP (VM-LDAP)	2	4 CPU cores, 8 GB RAM, 100 GB HDD	389 Directory Server	As a storage you can use an existing storage based on LDAP, Microsoft Active Directory, FreeIPA, or other system of storing accounts and passwords (connection via REST connector).
VM for Queue server (VM-MQ)	1-2	4 CPU cores, 8 GB RAM, 50 GB HDD (HDD)	RabbitMQ version 3.7.9	Using a Queue server is optional
VM for the Load balancer (VM-NLB)	1-2	2 CPU cores, 4 GB RAM, 50 GB HDD	HAProxy, keepalived	Internal balancer is needed in case of LDAP and Queue server clustering

Required software versions:

OpenJDK 8, Liberica JDK 8, Axiom JDK 8 Certified or Oracle JDK 8;
Memcached memory manager version 1.4.15 or higher;

Network connectivity requirements:

VM-WEB shall be accessible via 80, 443 (HTTP/HTTPS) from user networks;
from VM-WEB there must be access to VM-APP via 9000 (blitz-idp), 9002 (blitz-registration), 9003 (blitz-recovery), 9012 (blitz-keeper) and VM-ADM via 9001 (blitz-console);
VM-APP must have access:
- to other VM-APPs and VM-ADMs via 11211 (memcached);
- to VM-DB via 8091, 8092, 8093, 11209, 11210, 11211, 4369, 21100 to 21199, 11214, 11215, 18091, 18092 (standard Couchbase Server ports) or 5432 (standard PostgreSQL port);
- to VM-LDAP (VM-NLB) via 389, 636 (standard LDAP ports);
- to VM-MQ (VM-NLB) via 5672 (the standard RabbitMQ port);
- to external identity provider services via 443 port (if used):
  
  Links to the external identity provider services
  
  Type
  
  Reference
  
  Social networks
  
  https://appleid.apple.com
  
  https://accounts.google.com
  
  https://graph.facebook.com [2]
  
  [2]
  Meta is recognized as an extremist organization and is banned in Russia, while the activities of its social networks Facebook and Instagram are also banned in Russia.
- to the SMS gateway (if used);
- to SMTP (if used);
- to push notification service (if you use it);
- to the Kafka service (when used to receive security reports).
VM-ADM must have access:
- to VM-DB via 8091, 8092, 8093, 11209, 11210, 11211, 4369, 21100 to 21199, 11214, 11215, 18091, 18092 (standard Couchbase Server ports) or 5432 (standard PostgreSQL port);
- to VM-LDAP (VM_NLB) via 389, 636 (standard LDAP ports);
- to VM-APP via 22 (ssh), 514 (rsyslog), 11211 (memcached);
- to VM-MQ (VM-NLB) via 5672 (the standard RabbitMQ port);
- to the Kafka service (when using it to receive security reports)
from the VM-DB shall have access to other VM-DBs via 8091, 8092, 8093, 11209, 11210, 11211, 4369, 21100 - 21199, 11214, 11215, 18091, 18092 (Couchbase Server ports) or 5432 (PostgreSQL port);
with VM-LDAP there must be access to other VM-LDAPs via 389, 636 (LDAP ports);
from the VM-MQ must have access to other VM-MQs via 4369, 35197, 5672.

Type	Reference
Social networks	`https://appleid.apple.com`
`https://accounts.google.com`
`https://graph.facebook.com` [2]

For VM-APP, you need to create a public DNS name (for example, auth.domain.ru) and issue a TLS certificate for auth.domain.ru or *.domain.ru.